From 3bb71dd049e52a339f8ba1e998dc9215e6bd496f Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Tue, 27 May 2025 20:25:21 -0300
Subject: [PATCH] Don't execute deployment roles if packages are not installed

When running the deployment roles, if packages are not installed, an
error of a missing module is shown, which is confusing to users.

By ensuring that either installation or uninstallation only work if a
minimal set of tools is available allows to provide a meaningful message
and let users act on the environment.

For installation, if ipa-server/client-install is not available, the
installation is aborted with a meaningful error. For uninstallation, we
assume that IPA is not installed and gently finish the process with no
errors.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
---
 roles/ipaclient/tasks/install.yml   | 13 +++++++++++
 roles/ipaclient/tasks/uninstall.yml | 34 ++++++++++++++++++-----------
 roles/ipareplica/tasks/install.yml  | 13 +++++++++++
 roles/ipaserver/tasks/install.yml   | 13 +++++++++++
 roles/ipaserver/tasks/uninstall.yml |  6 +++++
 5 files changed, 66 insertions(+), 13 deletions(-)

diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index 7191cecee..ef714d853 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -19,6 +19,19 @@
       name: "{{ _ipapackages }}"
       state: present
 
+- name: Check package availability
+  when: not (ipaclient_install_packages | bool)
+  block:
+    - name: Install - Check package installation
+      ansible.builtin.stat:
+        path: /usr/sbin/ipa-client-install
+      register: __ipa_client_install_available
+
+    - name: Install - Abort installation due to missing packages
+      ansible.builtin.fail:
+        msg: "IPA client packages missing or corrupted"
+      when: not __ipa_client_install_available.stat.exists
+
 - name: Install - Set ipaclient_servers
   ansible.builtin.set_fact:
     ipaclient_servers: "{{ groups['ipaservers'] | list }}"
diff --git a/roles/ipaclient/tasks/uninstall.yml b/roles/ipaclient/tasks/uninstall.yml
index fe5ca0094..60dfe33bf 100644
--- a/roles/ipaclient/tasks/uninstall.yml
+++ b/roles/ipaclient/tasks/uninstall.yml
@@ -1,17 +1,25 @@
 ---
 # tasks to uninstall IPA client
 
-- name: Uninstall - Uninstall IPA client
-  ansible.builtin.command: >
-    /usr/sbin/ipa-client-install
-    --uninstall
-    -U
-  register: uninstall
-  # 2 means that uninstall failed because IPA client was not configured
-  failed_when: uninstall.rc != 0 and uninstall.rc != 2
-  changed_when: uninstall.rc == 0
+- name: Uninstall - Check if ipa-client-install is present
+  ansible.builtin.stat:
+    path: /usr/sbin/ipa-client-install
+  register: __ipa_client_install_available
 
-- name: Uninstall - Unconfigure DNS resolver
-  ipaclient_configure_dns_resolver:
-    state: absent
-  when: ipaclient_cleanup_dns_resolver | bool
+- name: Uninstall - Perform uninstall
+  when: __ipa_client_install_available.stat.exists
+  block:
+  - name: Uninstall - Uninstall IPA client
+    ansible.builtin.command: >
+      /usr/sbin/ipa-client-install
+      --uninstall
+      -U
+    register: uninstall
+    # 2 means that uninstall failed because IPA client was not configured
+    failed_when: uninstall.rc != 0 and uninstall.rc != 2
+    changed_when: uninstall.rc == 0
+
+  - name: Uninstall - Unconfigure DNS resolver
+    ipaclient_configure_dns_resolver:
+      state: absent
+    when: ipaclient_cleanup_dns_resolver | bool
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index 76cffffd3..29e85da91 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -38,6 +38,19 @@
       name: "{{ _ipapackages }}"
       state: present
 
+- name: Check package availability
+  when: not (ipareplica_install_packages | bool)
+  block:
+    - name: Install - Check package installation
+      ansible.builtin.stat:
+        path: /usr/sbin/ipa-replica-install
+      register: __ipa_replica_install_available
+
+    - name: Install - Abort installation due to missing packages
+      ansible.builtin.fail:
+        msg: "IPA server packages missing or corrupted"
+      when: not __ipa_replica_install_available.stat.exists
+
 - name: Firewall configuration
   when: ipareplica_setup_firewalld | bool
   block:
diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml
index f7ad7472c..a92bcf19c 100644
--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -38,6 +38,19 @@
       name: "{{ _ipapackages }}"
       state: present
 
+- name: Check package availability
+  when: not (ipaserver_install_packages | bool)
+  block:
+    - name: Install - Check package installation
+      ansible.builtin.stat:
+        path: /usr/sbin/ipa-server-install
+      register: __ipa_server_install_available
+
+    - name: Install - Abort installation due to missing packages
+      ansible.builtin.fail:
+        msg: "IPA server packages missing or corrupted"
+      when: not __ipa_server_install_available.stat.exists
+
 - name: Install - Firewall configuration
   when: ipaserver_setup_firewalld | bool
   block:
diff --git a/roles/ipaserver/tasks/uninstall.yml b/roles/ipaserver/tasks/uninstall.yml
index d404e2e83..67cfa8e0a 100644
--- a/roles/ipaserver/tasks/uninstall.yml
+++ b/roles/ipaserver/tasks/uninstall.yml
@@ -42,6 +42,11 @@
     when: ipaserver_remove_on_server is defined or
           result_get_connected_server.server is defined
 
+- name: Uninstall - Check if ipa-server-install is present
+  ansible.builtin.stat:
+    path: /usr/sbin/ipa-server-install
+  register: __ipa_server_install_available
+
 - name: Uninstall - Uninstall IPA server
   ansible.builtin.command: >
     /usr/sbin/ipa-server-install
@@ -54,3 +59,4 @@
   # 1 means that uninstall failed because IPA server was not configured
   failed_when: uninstall.rc != 0 and uninstall.rc != 1
   changed_when: uninstall.rc == 0
+  when: __ipa_server_install_available.stat.exists